| From: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
|---|---|
| To: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
| Cc: | Durumdara <durumdara(at)gmail(dot)com>, Postgres General <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: How to convert escaped text column - force E prefix |
| Date: | 2021-01-07 15:14:29 |
| Message-ID: | CAFj8pRAN+GTJH1XjsKH3eYxxmoLAsrF8UpOQw+76ihCC-oU5sA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
čt 7. 1. 2021 v 15:50 odesílatel David G. Johnston <
david(dot)g(dot)johnston(at)gmail(dot)com> napsal:
> On Thursday, January 7, 2021, Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com>
> wrote:
>
>>
>>
>> The vulnerability is almost the same although it is a little bit harder
>> to create attack strings.
>>
>
> Would making the function run as “security definer” and setting up a
> minimal permissions user/owner help with mitigation?
>
yes. It is a very different usage of security definer functions, but it can
work.
Regards
Pavel
> David J.
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Markhof, Ingolf | 2021-01-07 16:19:25 | How to keep format of views source code as entered? |
| Previous Message | David G. Johnston | 2021-01-07 14:50:30 | Re: How to convert escaped text column - force E prefix |